Page 1 of 1
Oxygen Author Eclipse 23.0 with log4j fix
Posted: Wed Dec 15, 2021 8:00 pm
by mu258770
Hi team,
We are using Oxygen Author 23.0 ZIP distribution package for Eclipse in our setup currently. We have seen that the vulnerable log4j version is used in this Oxygen package.
We have seen you already released 23.1 and 24.0 with the fixes. But upgrading 23.0 to 23.1 in our setup would be time taking.
Could you please let us know if you have new build for Oxygen Author 23.0 for Eclipse? Or is there any solution for this version?
Regards,
Shabeer
Re: Oxygen Author Eclipse 23.0 with log4j fix
Posted: Thu Dec 16, 2021 9:09 am
by Radu
Hi Shabeer,
We will not issue installation kits for 23.0 with the updated logging libraries so my recommendation is to use 23.1.
As a workaround you can set a certain system property in the eclipse.ini or set an environmental variable when starting Eclipse as it's mentioned here:
https://blog.oxygenxml.com/topics/oxyge ... s_faq.html
Regards,
Radu
Re: Oxygen Author Eclipse 23.0 with log4j fix
Posted: Wed Dec 29, 2021 1:27 pm
by mu258770
Hi Radu,
Thank you for the response.
We have upgraded Oxygen to 23.1 from 23.0 and we see it uses log4j 2.16.
We also got information that apache has releases 2.17.0 version of log4j and is more secure. Could you please let us know if you are planning to upgrade it in Oxygen Authors? If so, when it can be? If it is available for 23.1 already, could you please share me the download link?
Regards,
Shabeer
Re: Oxygen Author Eclipse 23.0 with log4j fix
Posted: Wed Dec 29, 2021 3:35 pm
by tavy
Hello Shabeer,
The flaw in log4j 2.16 that was resolved in 2.17 regards a denial of service vulnerability when the logging configuration uses a non-default Pattern Layout with a Context Lookup.
Please see:
https://www.oxygenxml.com/security/advi ... 45105.html
Oxygen products use a log4j configuration that does not change the default Pattern Layout. The vulnerability cannot be exploited unless a trusted party explicitly modifies the logging configuration to use a Pattern Layout with a Context Lookup. For this reason we have rated the severity level of this vulnerability for our products as low.
Since this is not a security issue for desktop applications, a security maintenance will not be issued for our desktop products at this time. By desktop applications I refer to Oxygen XML Editor/Author/Developer/Publishing Engine/WebHelp/Chemistry.
Nonetheless, future maintenance builds for our products that are still under maintenance will update log4j to 2.17 or later.
If you want to mitigate the issue and replace the log4j libraries with 2.17 at this time, please see the Mitigation section from the security advisory.
Best Regards,
Octavian
Re: Oxygen Author Eclipse 23.0 with log4j fix
Posted: Thu Mar 10, 2022 10:45 am
by mu258770
Hi,
Thank you for the details.
We have also seen a new patcher developed by Radu which replaces log4j version with latest one.
We have run the patcher and that Log4J versions in our Oxygen Author 23.1 Eclipse plugin got replaced. But after we launch the application, Oxygen author stopped loading and it shows "ClassNotFoundException".
Please see the error messages below:
Code: Select all
org.eclipse.core.runtime.CoreException: Plug-in com.oxygenxml.author was unable to load class com.oxygenxml.editor.editors.xml.XMLEditor.
at org.eclipse.core.internal.registry.osgi.RegistryStrategyOSGI.throwException(RegistryStrategyOSGI.java:194)
at org.eclipse.core.internal.registry.osgi.RegistryStrategyOSGI.createExecutableExtension(RegistryStrategyOSGI.java:176)
at org.eclipse.core.internal.registry.ExtensionRegistry.createExecutableExtension(ExtensionRegistry.java:905)
at org.eclipse.core.internal.registry.ConfigurationElement.createExecutableExtension(ConfigurationElement.java:243)
at org.eclipse.core.internal.registry.ConfigurationElementHandle.createExecutableExtension(ConfigurationElementHandle.java:55)
at org.eclipse.ui.internal.WorkbenchPlugin.lambda$0(WorkbenchPlugin.java:288)
at org.eclipse.swt.custom.BusyIndicator.showWhile(BusyIndicator.java:70)
at org.eclipse.ui.internal.WorkbenchPlugin.createExtension(WorkbenchPlugin.java:285)
at org.eclipse.ui.internal.registry.EditorDescriptor.createEditor(EditorDescriptor.java:232)
at org.eclipse.ui.internal.EditorReference.createPart(EditorReference.java:329)
at org.eclipse.ui.internal.e4.compatibility.CompatibilityPart.createPart(CompatibilityPart.java:293)
at org.eclipse.ui.internal.e4.compatibility.CompatibilityEditor.createPart(CompatibilityEditor.java:63)
at org.eclipse.ui.internal.e4.compatibility.CompatibilityPart.create(CompatibilityPart.java:331)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.eclipse.e4.core.internal.di.MethodRequestor.execute(MethodRequestor.java:55)
at org.eclipse.e4.core.internal.di.InjectorImpl.processAnnotated(InjectorImpl.java:990)
at org.eclipse.e4.core.internal.di.InjectorImpl.processAnnotated(InjectorImpl.java:955)
at org.eclipse.e4.core.internal.di.InjectorImpl.inject(InjectorImpl.java:124)
at org.eclipse.e4.core.internal.di.InjectorImpl.internalMake(InjectorImpl.java:399)
at org.eclipse.e4.core.internal.di.InjectorImpl.make(InjectorImpl.java:318)
at org.eclipse.e4.core.contexts.ContextInjectionFactory.make(ContextInjectionFactory.java:162)
at org.eclipse.e4.ui.internal.workbench.ReflectionContributionFactory.createFromBundle(ReflectionContributionFactory.java:105)
at org.eclipse.e4.ui.internal.workbench.ReflectionContributionFactory.doCreate(ReflectionContributionFactory.java:74)
at org.eclipse.e4.ui.internal.workbench.ReflectionContributionFactory.create(ReflectionContributionFactory.java:56)
at org.eclipse.e4.ui.workbench.renderers.swt.ContributedPartRenderer.createWidget(ContributedPartRenderer.java:129)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.createWidget(PartRenderingEngine.java:992)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.safeCreateGui(PartRenderingEngine.java:661)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.safeCreateGui(PartRenderingEngine.java:767)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.access$0(PartRenderingEngine.java:738)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine$2.run(PartRenderingEngine.java:732)
at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:42)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.createGui(PartRenderingEngine.java:716)
at org.eclipse.e4.ui.workbench.renderers.swt.StackRenderer.showTab(StackRenderer.java:1293)
at org.eclipse.e4.ui.workbench.renderers.swt.LazyStackRenderer.lambda$0(LazyStackRenderer.java:68)
at org.eclipse.e4.ui.services.internal.events.UIEventHandler$1.run(UIEventHandler.java:40)
at org.eclipse.swt.widgets.Synchronizer.syncExec(Synchronizer.java:233)
at org.eclipse.ui.internal.UISynchronizer.syncExec(UISynchronizer.java:144)
at org.eclipse.swt.widgets.Display.syncExec(Display.java:4889)
at org.eclipse.e4.ui.internal.workbench.swt.E4Application$1.syncExec(E4Application.java:212)
at org.eclipse.e4.ui.services.internal.events.UIEventHandler.handleEvent(UIEventHandler.java:36)
at org.eclipse.equinox.internal.event.EventHandlerWrapper.handleEvent(EventHandlerWrapper.java:201)
at org.eclipse.equinox.internal.event.EventHandlerTracker.dispatchEvent(EventHandlerTracker.java:197)
at org.eclipse.equinox.internal.event.EventHandlerTracker.dispatchEvent(EventHandlerTracker.java:1)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEventSynchronous(ListenerQueue.java:148)
at org.eclipse.equinox.internal.event.EventAdminImpl.dispatchEvent(EventAdminImpl.java:135)
at org.eclipse.equinox.internal.event.EventAdminImpl.sendEvent(EventAdminImpl.java:78)
at org.eclipse.equinox.internal.event.EventComponent.sendEvent(EventComponent.java:39)
at org.eclipse.e4.ui.services.internal.events.EventBroker.send(EventBroker.java:52)
at org.eclipse.e4.ui.internal.workbench.UIEventPublisher.notifyChanged(UIEventPublisher.java:60)
at org.eclipse.emf.common.notify.impl.BasicNotifierImpl.eNotify(BasicNotifierImpl.java:374)
at org.eclipse.e4.ui.model.application.ui.impl.ElementContainerImpl.setSelectedElement(ElementContainerImpl.java:173)
at org.eclipse.e4.ui.internal.workbench.ModelServiceImpl.showElementInWindow(ModelServiceImpl.java:620)
at org.eclipse.e4.ui.internal.workbench.ModelServiceImpl.bringToTop(ModelServiceImpl.java:584)
at org.eclipse.e4.ui.internal.workbench.PartServiceImpl.delegateBringToTop(PartServiceImpl.java:769)
at org.eclipse.e4.ui.internal.workbench.PartServiceImpl.bringToTop(PartServiceImpl.java:401)
at org.eclipse.e4.ui.internal.workbench.PartServiceImpl.showPart(PartServiceImpl.java:1188)
at org.eclipse.ui.internal.WorkbenchPage.busyOpenEditor(WorkbenchPage.java:3261)
at org.eclipse.ui.internal.WorkbenchPage.access$25(WorkbenchPage.java:3176)
at org.eclipse.ui.internal.WorkbenchPage$10.run(WorkbenchPage.java:3158)
at org.eclipse.swt.custom.BusyIndicator.showWhile(BusyIndicator.java:70)
at org.eclipse.ui.internal.WorkbenchPage.openEditor(WorkbenchPage.java:3153)
at org.eclipse.ui.internal.WorkbenchPage.openEditor(WorkbenchPage.java:3117)
at com.ixiasoft.dita.eclipse.actions.OpenWithAction.run(OpenWithAction.java:136)
at org.eclipse.jface.action.Action.runWithEvent(Action.java:473)
at org.eclipse.jface.action.ActionContributionItem.handleWidgetSelection(ActionContributionItem.java:565)
at org.eclipse.jface.action.ActionContributionItem.lambda$4(ActionContributionItem.java:397)
at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:86)
at org.eclipse.swt.widgets.Display.sendEvent(Display.java:4428)
at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1079)
at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:4238)
at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3817)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine$5.run(PartRenderingEngine.java:1150)
at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:336)
at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.run(PartRenderingEngine.java:1039)
at org.eclipse.e4.ui.internal.workbench.E4Workbench.createAndRunUI(E4Workbench.java:153)
at org.eclipse.ui.internal.Workbench.lambda$3(Workbench.java:680)
at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:336)
at org.eclipse.ui.internal.Workbench.createAndRunWorkbench(Workbench.java:594)
at org.eclipse.ui.PlatformUI.createAndRunWorkbench(PlatformUI.java:148)
at org.eclipse.ui.internal.ide.application.IDEApplication.start(IDEApplication.java:151)
at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:196)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:134)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:104)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:388)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:243)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:653)
at org.eclipse.equinox.launcher.Main.basicRun(Main.java:590)
at org.eclipse.equinox.launcher.Main.run(Main.java:1499)
Caused by: java.lang.ClassNotFoundException: An error occurred while automatically activating bundle com.oxygenxml.author (829).
at org.eclipse.osgi.internal.hooks.EclipseLazyStarter.postFindLocalClass(EclipseLazyStarter.java:112)
at org.eclipse.osgi.internal.loader.classpath.ClasspathManager.findLocalClass(ClasspathManager.java:529)
at org.eclipse.osgi.internal.loader.ModuleClassLoader.findLocalClass(ModuleClassLoader.java:328)
at org.eclipse.osgi.internal.loader.BundleLoader.findLocalClass(BundleLoader.java:368)
at org.eclipse.osgi.internal.loader.sources.SingleSourcePackage.loadClass(SingleSourcePackage.java:36)
at org.eclipse.osgi.internal.loader.BundleLoader.findClassInternal(BundleLoader.java:442)
at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:395)
at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:387)
at org.eclipse.osgi.internal.loader.ModuleClassLoader.loadClass(ModuleClassLoader.java:150)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at java.lang.Class.getDeclaredConstructors0(Native Method)
at java.lang.Class.privateGetDeclaredConstructors(Class.java:2671)
at java.lang.Class.getConstructor0(Class.java:3075)
at java.lang.Class.newInstance(Class.java:412)
at org.eclipse.core.internal.registry.osgi.RegistryStrategyOSGI.createExecutableExtension(RegistryStrategyOSGI.java:184)
at org.eclipse.core.internal.registry.ExtensionRegistry.createExecutableExtension(ExtensionRegistry.java:905)
at org.eclipse.core.internal.registry.ConfigurationElement.createExecutableExtension(ConfigurationElement.java:243)
at org.eclipse.core.internal.registry.ConfigurationElementHandle.createExecutableExtension(ConfigurationElementHandle.java:55)
at org.eclipse.ui.internal.WorkbenchPlugin.lambda$0(WorkbenchPlugin.java:288)
at org.eclipse.swt.custom.BusyIndicator.showWhile(BusyIndicator.java:52)
at org.eclipse.ui.internal.WorkbenchPlugin.createExtension(WorkbenchPlugin.java:285)
at org.eclipse.ui.internal.EarlyStartupRunnable.run(EarlyStartupRunnable.java:53)
at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:42)
at org.eclipse.ui.internal.Workbench$40.run(Workbench.java:2747)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:56)
Caused by: org.osgi.framework.BundleException: Error starting module.
at org.eclipse.osgi.container.Module.doStart(Module.java:590)
at org.eclipse.osgi.container.Module.start(Module.java:449)
at org.eclipse.osgi.framework.util.SecureAction.start(SecureAction.java:468)
at org.eclipse.osgi.internal.hooks.EclipseLazyStarter.postFindLocalClass(EclipseLazyStarter.java:103)
... 24 more
Caused by: java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/Layout
at com.oxygenxml.editor.EditorPlugin.<clinit>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.Class.newInstance(Class.java:442)
at org.eclipse.osgi.internal.framework.BundleContextImpl.loadBundleActivator(BundleContextImpl.java:763)
at org.eclipse.osgi.internal.framework.BundleContextImpl.start(BundleContextImpl.java:716)
at org.eclipse.osgi.internal.framework.EquinoxBundle.startWorker0(EquinoxBundle.java:933)
at org.eclipse.osgi.internal.framework.EquinoxBundle$EquinoxModule.startWorker(EquinoxBundle.java:309)
at org.eclipse.osgi.container.Module.doStart(Module.java:581)
... 27 more
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.Layout cannot be found by com.oxygenxml.author_23.1.0.v2021121415
at org.eclipse.osgi.internal.loader.BundleLoader.findClassInternal(BundleLoader.java:484)
at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:395)
at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:387)
at org.eclipse.osgi.internal.loader.ModuleClassLoader.loadClass(ModuleClassLoader.java:150)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
... 38 more
Could you please let us know why the patcher is not working with our Oxygen Author 23.1 Eclipse plugin.
Regards,
Shabeer
Re: Oxygen Author Eclipse 23.0 with log4j fix
Posted: Thu Mar 10, 2022 4:15 pm
by adrian
Hello,
The error indicates the class loader cannot find classes from the log4j core jar. So Eclipse doesn’t seem to be aware of the jar change. Check the references to log4j jars from META-INF\MANIFEST.MF in the Oxygen plugin folder.
Try running Eclipse with the -clean argument.
If the problem persists, try with a new Eclipse workspace as the current one may still have some caches that indicate the original (replaced) jars.
Regards,
Adrian